A tool used by ransomware groups now appears to kill EDR: Report

Poverty/BurntCigar, first documented by Mandiant, is a malicious kernel driver that is used together with a user-mode loader called Stonestop; the loader attempts to get the driver past Microsoft's Driver Signature Enforcement. Both the driver and the loader are heavily obfuscated with commercial or open source packers such as VMProtect, Themida or ASMGuard.

The driver tries to disguise itself by copying the version information shown on the file's properties page (company, product and description strings) from the driver that ships with Internet Download Manager, a commercial program by Tonec Inc.
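A quick triage check for the kind of impersonation described above, written for this page as an added example rather than taken from the article, Sophos or Mandiant: it walks the installed kernel-mode drivers, pulls the version-information strings the malware is said to copy, and pairs them with the Authenticode signer so an analyst can see when the two disagree. It assumes an elevated PowerShell session on a Windows host; the `-WatchVendor` parameter and the default value `Tonec` are illustrative, not indicators published by either vendor.

```powershell
# Added example, not code from the article or from Sophos/Mandiant.
# Lists kernel-mode drivers whose embedded version strings or signature
# deserve a closer look. Assumes an elevated session on Windows.
function Get-DriverMetadataReport {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: vendor strings to flag when they appear in
        # a driver's CompanyName/ProductName, e.g. the vendor the article says
        # the malicious driver imitates. Adjust for your own environment.
        [string[]]$WatchVendor = @('Tonec'),
        # When set, return only drivers with at least one reason to look closer.
        [switch]$SuspiciousOnly
    )

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }

        # Service paths come in NT form; normalise the common prefixes.
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        $reasons = @()
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        foreach ($v in $WatchVendor) {
            $pattern = [regex]::Escape($v)
            if (($vi.CompanyName -match $pattern) -or ($vi.ProductName -match $pattern)) {
                $reasons += "watched vendor string '$v' in version info"
            }
        }
        # A third-party CompanyName signed by someone other than that company
        # or Microsoft (WHQL-signed drivers legitimately carry a Microsoft
        # signer) is worth a look. The first word of CompanyName is a rough key.
        $companyKey = ([string]$vi.CompanyName).Split(' ')[0]
        if ($companyKey -and $signer -ne '<unsigned>' -and
            $signer -notmatch [regex]::Escape($companyKey) -and
            $signer -notmatch 'Microsoft') {
            $reasons += 'CompanyName does not match signer'
        }

        if ($SuspiciousOnly -and -not $reasons) { return }

        [pscustomobject]@{
            Service     = $svc.Name
            State       = $svc.State
            Path        = $path
            CompanyName = $vi.CompanyName
            ProductName = $vi.ProductName
            Description = $vi.FileDescription
            Signer      = $signer
            SigStatus   = $sig.Status
            Reason      = ($reasons -join '; ')
        }
    }
}

Get-DriverMetadataReport -SuspiciousOnly | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: the article says the driver's strings were copied from a legitimate product, so a match on `Tonec` also hits the genuine Internet Download Manager driver, and a driver that was signed through an abused signing path will show a valid signature. The value of the report is in putting the version strings next to the signer and the on-disk path so the odd one out can be pulled for closer inspection.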

Ransomware gangs known to use Poverty include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos said.
